1. Field of the Invention
The present invention relates in general to authentication, and in particular to authenticated changing of modes in controlled devices.
2. Background Art
Broadcast media services, in general, are operated according to a model where a service provider receives programming content from one or more content providers at a service provider facility. The service provider then distributes that programming content, possibly after additional processing, to numerous subscribers over a media distribution network. The service provider can be a large multi service operator (MSO) that provides cable television as a broadcast media service. As the technologies related to multimedia and data transmission networks improve, and also as technologies such as high definition television displays that enhance the corresponding user experience improve, broadcast media services are relied on to distribute an increasing amount of content. The media distribution networks of MSOs are utilized to distribute an increasingly substantial portion of the digital content that flows into homes and businesses. The digital content includes television programming, video on demand, pay-per-view content, music, interactive content, games, educational content, remote monitoring services, etc.
The service provider typically operates the facility in which content from various sources is received, aggregated, processed, and distributed. The service provider facility that distributes content over a service provider network, such as a cable television network, is generally referred to as a headend. In many instances, the service provider also provides equipment, such as a set-top box (STB), to be placed at the premises of each subscriber. The STB is, in general, a controlled device that is controlled by the service provider from the headend of the corresponding media distribution network. The STB includes the functionality to receive content transmitted from the service provider headend, and to descramble and/or decrypt that content. The subscriber can, and usually does, couple at least one device such as a television to the STB.
An STB may include other capabilities in addition to descrambling and/or decrypting. For example, many STBs enable interactivity for the user, such as to order pay per view movies, to enable personal video recording and viewing, and to use on demand viewing capabilities, etc.
The pirating of programming content by third parties and the unauthorized use of content by subscribers are significant concerns to service providers. Conditional access is a framework used in many broadcast media distribution systems to prevent or reduce the pirating and unauthorized use of content. A service provider engages the services of a conditional access provider to scramble and/or encrypt content, such as programming content, before transmission over the media distribution network, and to descramble and/or decrypt that content at an STB of an authorized subscriber.
The keys (i.e., cryptographic keys) used for scrambling/descrambling and/or encryption/decryption may be generated and/or verified by the conditional access provider. The strength of the content protection is to a substantial extent dependent on the secrecy of the keys and characteristics of the keys and algorithms used for encryption/decryption and/or scrambling/descrambling. In addition to the cryptographic strength of each key, the secrecy of the keys is also of great importance.
In a typical conventional broadcast media distribution network a single conditional access provider protects the programming content that is distributed. Also, STBs are manufactured and/or initialized to be specific to a particular service provider and conditional access provider. In a typical scenario, a conditional access provider will create and/or otherwise obtain one or more unique keys for each new STB that is manufactured for deployment in a network serviced by that conditional access provider. The collection of these key and STB pairs is often referred to as the conditional access provider's key database. The key database is accessible to the service provider's headend, and therefore the one or more keys that correspond to each STB are known to the headend.
Typically, a conditional access provider also provides a black box device that is used to initialize each STB at the time of manufacture with one or more keys that are to be subsequently used in the STB when the STB is activated in a network of a service provider. One or more keys from the black box device can be written into the one time programmable (OTP) memory of each STB. For example, keys from the black box device can be securely written to a system-on-a-chip (SoC) that is then included in an STB. In some cases, the keys are written into the OTP memory in an obfuscated form to make unauthorized access to the keys more difficult, and each key is de-obfuscated only at the time of use.
It may be desirable to have STBs that are usable in the networks of multiple service providers. Particularly, as STBs become capable of much more functionality than the decoding and delivering of received content, subscribers can increasingly seek to have STBs that can operate with multiple service providers and/or multiple media distribution networks. Also, the conditional access provider servicing an STB can change due to several situations, such as, the service provider switching conditional access providers, another conditional access provider operating in the same network, or the STB being moved to a new network.
When the conditional access provider is changed, an STB can no longer receive programming content in a manner useful to the subscriber unless another conditional access provider's keys are made available to the STB. To be able to receive programming content protected by more than one conditional access provider, conventionally all conditional access providers that want to send content to an STB would be required to store their corresponding key or keys in the STB at the time of manufacture. For example, an OTP memory in an STB can be programmed with the key databases of each conditional access provider that want to provide services to that STB. Also, each headend would have access to the key databases of each conditional access provider that can provide services to any STB in the corresponding network. This approach generally leads to a conditional access provider having to share its keys, particularly the encryption keys, with other conditional access providers. In deployed networks the sharing of keys also takes place due to the inability to store more than a very limited number of keys in the memory of a single SoC or STB, and as a result of the need to support an STB when it change over to a conditional access provider for which the STB does not have preprogrammed key information. Such sharing of keys can expose one conditional access provider to the weaknesses in key management of another conditional access provider.
Therefore, although enabling an STB to operate with multiple conditional access providers provide numerous advantages, the sharing of encryption keys between conditional access providers unnecessarily exposes a media distribution system to the weaknesses of the less secure conditional access providers. For example, if conditional access provider A has its key database exposed to an attacker, that attacker may now be able to attack a second service provider network if the exposed keys are shared with a conditional access provider who services the second service provider network. Clearly, methods and systems to enable an STB to receive programming content through multiple conditional access providers without sharing of encryption keys would be useful.